UK data regulator hits 23andMe with £2.31 million fine for genetic breach
ICO fines genetic testing firm £2.31M after credential stuffing attack exposed 155,592 UK customers' DNA data over 5 months.

The UK Information Commissioner's Office (ICO) imposed a £2.31 million penalty on genetic testing company 23andMe on June 5, 2025, following a credential stuffing attack that exposed personal data of 155,592 UK customers. The attack lasted over five months during 2023, making it one of the most significant genetic data breaches to date.
According to the penalty notice, hackers accessed DNA relatives profiles, ancestry reports, family tree information, and genetic health data through compromised customer accounts. The threat actor specifically targeted customers based on racial and ethnic backgrounds, particularly those of Ashkenazi Jewish descent.
23andMe failed to implement mandatory multi-factor authentication (MFA) until after the breach was discovered in October 2023. Only 0.2% of the company's global customer base had enabled MFA at the time of the attack, while an additional 21.5% used single sign-on services. None of the accounts with these additional security measures were successfully compromised.
Summary
Who: 23andMe, Inc., a US-based genetic testing company, and 155,592 UK customers affected by the breach. The UK Information Commissioner's Office imposed the penalty.
What: A credential stuffing cyberattack lasting over five months exposed DNA relatives profiles, ancestry reports, health data, and raw genetic information. Hackers specifically targeted customers based on racial and ethnic characteristics.
When: The attack occurred from April 29 to October 2023, with the penalty announced June 5, 2025.
Where: The attack affected 23andMe's global platform but the penalty focuses on 155,592 UK customers. The company is based in San Francisco with customers worldwide.
Why: 23andMe failed to implement mandatory multi-factor authentication, adequate password policies, effective monitoring systems, and appropriate security testing. The company also ignored multiple warning signs that could have detected the attack earlier.
Five-month attack window exposed genetic information
The attack began on April 29, 2023, when hackers used recycled passwords from other breached websites to access 23andMe accounts. Between May 1 and September 18, 2023, the threat actor conducted approximately 273,465 unsuccessful login attempts and 14,601 successful logins across thousands of IP addresses.
Through the DNA Relatives feature, attackers gained access to personal information shared between genetically related customers. This included display names, predicted relationships, percentage of shared DNA, ancestry reports, geographic locations, birth years, and family tree data for connected relatives.
The ICO investigation revealed that 120,031 UK customers had their DNA Relatives profiles accessed, while 35,561 had Family Tree profiles compromised. Health-related information was accessed for 323 customers, including genetic health risks and self-reported medical conditions. Raw genetic data - the complete uninterpreted genetic code - was accessed for two UK customers.
Multiple security failures enabled sustained attack
The penalty notice details systematic security failures spanning years. 23andMe had not mandated MFA, despite it being offered as an optional feature since 2019. The company also failed to implement device fingerprinting, password strength requirements, or comprehensive monitoring for suspicious activity.
Password requirements were particularly weak. The company enforced only an eight-character minimum with no complexity requirements. Its checks compared new passwords against just 20,000 compromised credentials from haveibeenpwned.com, even though the company had access to a paid service that could check against 14 billion compromised passwords.
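The gap the notice describes is between a tiny local blocklist and a check against a corpus of billions of leaked credentials. The following is an added example, not code from 23andMe or the ICO notice, showing how a registration or password-change handler can screen candidates against a breach corpus using the k-anonymity range pattern (hash the password, send only the first five hex characters of the SHA-1 digest, compare the returned suffixes locally). The corpus here is a constructed in-memory stand-in for a remote range service; `range_lookup`, `BREACHED`, the minimum length and the sample passwords are all assumptions for illustration.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (not the real
# haveibeenpwned dataset): SHA-1 hex digests of a few known-weak passwords,
# keyed to an illustrative breach count. SHA-1 is used here only because
# that is the corpus format, never for storing passwords.
BREACHED = {
    hashlib.sha1(pw.encode("utf-8")).hexdigest().upper(): count
    for pw, count in [
        ("password", 9_000_000),
        ("qwerty123", 500_000),
        ("correcthorsebatterystaple", 120_000),
    ]
}


def range_lookup(prefix):
    """Simulate a k-anonymity range query.

    Returns {suffix: count} for every breached hash that starts with the
    5-hex-char prefix. In a real deployment this is a request to an external
    range endpoint carrying only the prefix, so neither the password nor its
    full hash ever leaves the service (assumed interface, not a real client).
    """
    return {h[5:]: c for h, c in BREACHED.items() if h[:5] == prefix}


def is_breached(password):
    """True if the password appears in the breach corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix).get(suffix, 0) > 0


def evaluate_password(password, min_length=12):
    """Return (accepted, reason) for a candidate password.

    Length is checked first so the breach lookup only runs for candidates
    that could otherwise be accepted. The 12-character floor is an assumed
    policy value, not one taken from the notice.
    """
    if len(password) < min_length:
        return (False, "shorter than %d characters" % min_length)
    if is_breached(password):
        return (False, "appears in a known breach corpus")
    return (True, "ok")


if __name__ == "__main__":
    for candidate in ["password", "correcthorsebatterystaple", "Orbit-Lantern-Quartz-77"]:
        print(candidate, evaluate_password(candidate))
```

The point of the prefix design is that the blocklist size no longer matters to the client: a corpus of 20,000 entries and one of 14 billion are queried the same way, and the full secret is never transmitted.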
The company's logging systems contained critical flaws. Raw genetic data downloads were logged with an internal IP address instead of the actual user's address, making it impossible to track which downloads were initiated by attackers. This misconfiguration was only discovered during the internal investigation months later.
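A download log that records an internal address instead of the requesting client's is typically the result of an application behind a reverse proxy or load balancer logging the TCP peer rather than the forwarded client address. The notice does not say which component was misconfigured at 23andMe; the example below is added here, not taken from the page, and assumes that common setup. It shows the naive version beside a version that only honours `X-Forwarded-For` when the immediate peer is a trusted proxy, which is what makes the logged address usable during an investigation. `TRUSTED_PROXIES` and the sample addresses are constructed values.

```python
import ipaddress
import json

# Assumed address range of the organisation's own reverse proxies /
# load balancers. Only peers inside this range may assert a forwarded IP.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_addr, xff_header=None):
    """The failure mode: log whatever the socket peer is. Behind a proxy this
    is always the proxy's internal address, so every download looks alike."""
    return peer_addr


def client_ip(peer_addr, xff_header):
    """Resolve the originating client address.

    If the peer is not a trusted proxy the header is ignored, because any
    direct client can set it. If the peer is trusted, walk X-Forwarded-For
    from the right (the hop appended by our own proxy is the most reliable)
    and return the first address that is not one of our proxies.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted(peer):
        return str(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # malformed entry, skip rather than guess
        if not _is_trusted(addr):
            return str(addr)
    # Nothing usable in the header: fall back to the peer so the record is
    # at least truthful about what was observed.
    return str(peer)


def download_log_record(peer_addr, xff_header, user_id, resource):
    """Build the audit record for a sensitive download (e.g. raw data export)."""
    return json.dumps({
        "event": "raw_data_download",
        "user_id": user_id,
        "resource": resource,
        "client_ip": client_ip(peer_addr, xff_header),
        "peer_ip": peer_addr,           # keep both so the proxy hop is auditable
        "x_forwarded_for": xff_header,  # retain the raw header for later review
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed request: client 198.51.100.7 arriving via proxy 10.0.0.5
    print(naive_client_ip("10.0.0.5", "198.51.100.7, 10.0.0.5"))
    print(download_log_record("10.0.0.5", "198.51.100.7, 10.0.0.5", "u-1234", "raw_genome.zip"))
```

Logging both the resolved client address and the raw peer and header values costs little and lets an investigator reconstruct the path later, which is exactly what the misconfiguration described above made impossible.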
Warning signs ignored for months
23andMe missed multiple opportunities to detect the attack earlier. On July 6, 2023, over one million login attempts caused the platform to become temporarily inoperable. Between July 28 and 30, 2023, attackers unsuccessfully attempted to transfer ownership of approximately 400 customer profiles.
More significantly, in August 2023, an individual claiming to have obtained data from over 10 million customers directly contacted 23andMe through customer service channels. Despite posting samples of stolen data on dark web forums, 23andMe's security team dismissed these warnings as a "hoax" within four days and closed the incident.
The company's security alerting failed to detect the unusual patterns. Although attackers rotated through thousands of IP addresses to stay under rate limits, the volume of failed logins skewed the aggregate ratio of successful to unsuccessful login attempts in a way that monitoring systems should have flagged.
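The signal described above is an aggregate one: no single IP looks abusive, but the failure rate across the whole platform jumps and the traffic is spread thinly over many sources. The following is an added detection example, not code or data from 23andMe or the ICO, that runs that heuristic over constructed authentication log lines. The log format, the hourly bucketing, the baseline failure rate and the thresholds in `flag_stuffing_windows` are all assumptions chosen for illustration; the attempt and IP counts from the notice (273,465 failures, 14,601 successes across thousands of IPs) are not reproduced here.

```python
from collections import defaultdict
from datetime import datetime


def make_sample_log():
    """Constructed log lines (not real data): one normal hour, then an hour
    in which 30 distinct IPs each try two recycled username/password pairs."""
    lines = []
    normal = [  # ordinary users on their own addresses, one mistyped password
        ("10:00:01", "198.51.100.5", "alice", "SUCCESS"),
        ("10:05:12", "198.51.100.6", "bob", "SUCCESS"),
        ("10:07:40", "198.51.100.7", "carol", "FAIL"),
        ("10:07:58", "198.51.100.7", "carol", "SUCCESS"),
        ("10:31:03", "198.51.100.8", "dave", "SUCCESS"),
    ]
    for t, ip, user, outcome in normal:
        lines.append(f"2023-05-01T{t}Z {ip} {user} {outcome}")
    for i in range(30):
        ip = f"203.0.113.{i + 1}"
        for j in range(2):
            n = i * 2 + j
            # most recycled pairs fail; a few succeed because the victim reused the password
            outcome = "SUCCESS" if n % 12 == 0 else "FAIL"
            lines.append(f"2023-05-01T11:00:{n:02d}Z {ip} user{n} {outcome}")
    return lines


def parse_line(line):
    """Parse 'ISO-timestamp src-ip username OUTCOME' (assumed log format)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"


def hourly_stats(lines):
    """Aggregate attempts, failures and distinct source IPs per clock hour."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "ips": set()})
    for line in lines:
        ts, ip, _user, ok = parse_line(line)
        key = ts.replace(minute=0, second=0).isoformat()
        s = stats[key]
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["ips"].add(ip)
    return stats


def flag_stuffing_windows(stats, baseline_fail_rate=0.25, min_ips=20, max_attempts_per_ip=5):
    """Return hour keys whose profile matches distributed credential stuffing.

    Three conditions must hold together: the failure rate is at least double
    the quiet-period baseline, the traffic comes from many distinct IPs, and
    each IP makes only a few attempts (so a per-IP rate limit never fires).
    All three thresholds are illustrative assumptions.
    """
    flagged = []
    for key in sorted(stats):
        s = stats[key]
        fail_rate = s["failures"] / s["attempts"]
        per_ip = s["attempts"] / len(s["ips"])
        if (fail_rate >= 2 * baseline_fail_rate
                and len(s["ips"]) >= min_ips
                and per_ip <= max_attempts_per_ip):
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    stats = hourly_stats(make_sample_log())
    for key in sorted(stats):
        s = stats[key]
        print(key, s["attempts"], "attempts,", s["failures"], "failures,", len(s["ips"]), "IPs")
    print("flagged:", flag_stuffing_windows(stats))
```

In the constructed data the attack hour has a 92% failure rate from 30 addresses averaging two attempts each, so a per-IP limit of even five attempts would never trigger, while the aggregate ratio check flags it immediately; the normal hour, with one mistyped password, does not.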
Targeted ethnic profiling raises discrimination concerns
Evidence suggests attackers specifically targeted customers based on ethnic and racial characteristics. Dark web forum posts advertised "Ashkenazi DNA Data of Celebrities," "Chinese Ancestry," "British Ancestry," and "German Ancestry" datasets.
One forum post dated October 17, 2023, specifically mentioned "information on all wealthy families serving Zionism" and threatened to release "hundreds of TBs of data" in response to Middle Eastern conflicts. The threat actor stated the data was "in safer hands than with 23andMe."
UK customers reported significant distress from the breach. One affected individual told the ICO they felt "extremely anxious about what this could mean to my personal, financial and family safety in future." Another customer noted their account had "a Jewish identifier associated with it" and expressed concern about targeting specific groups using DNA data during periods of increased antisemitic violence.
Company's financial collapse complicates enforcement
The penalty amount was reduced from an initial £4.59 million proposal due to 23andMe's deteriorating financial condition. The company filed for Chapter 11 bankruptcy protection on March 23, 2025, with accumulated deficits of $2.4 billion and just $79.4 million in unrestricted cash.
23andMe's entire board of directors resigned in September 2024, and the company has eliminated approximately 40% of its workforce. CEO Anne Wojcicki resigned on March 23, 2025, to pursue a buyout bid. A court hearing to approve the company's sale is scheduled for June 17, 2025.
The ICO determined that imposing a monetary penalty remained appropriate despite the company's financial distress. The £2.31 million fine represents approximately 2.3% of 23andMe's projected annual turnover for 2025.
Implications for marketing industry data security
The case highlights critical security requirements for companies processing sensitive personal data, particularly relevant as digital marketing increasingly relies on privacy-enhanced technologies. Marketing platforms collecting genetic, health, or biometric data face heightened scrutiny from regulators worldwide.
Recent enforcement actions demonstrate regulators' focus on data security across marketing technologies. The German data protection authority recently fined an IT company €10,000 for unauthorized email marketing using publicly available data without consent. Similarly, TikTok received a €530 million penalty from Irish regulators over data transfers to China.
For marketing professionals, the 23andMe case underscores essential security practices. Companies must implement mandatory multi-factor authentication, comprehensive password policies, real-time monitoring for suspicious activity, and regular security testing that includes credential stuffing scenarios.
The breach also demonstrates risks inherent in data sharing features common across marketing platforms. When personal data is shared between users or accounts, a security failure can multiply the number of affected individuals far beyond the directly compromised accounts.
Industry-wide security reassessment needed
The ICO's penalty notice emphasizes that genetic data cannot be changed like passwords or phone numbers, making breaches particularly damaging. This principle applies broadly to marketing technologies processing biometric data, device fingerprints, or other immutable identifiers.
Technical security measures must match the sensitivity of processed data. The ICO found 23andMe's security measures inappropriate for the risks posed by genetic data processing, particularly given the company's business model facilitating extensive data sharing between customers.
Companies in the marketing ecosystem should review their authentication requirements, monitoring capabilities, and incident response procedures. The 23andMe case shows that threat actors may persist for months while rotating through thousands of IP addresses to avoid detection.
Regular penetration testing should specifically include credential stuffing scenarios, as these attacks represent a primary threat vector against consumer-facing platforms. Organizations must also ensure logging systems capture accurate information needed for effective incident response.
Current timeline and next steps
The penalty notice follows a joint investigation by the ICO and Office of the Privacy Commissioner of Canada that began in June 2024. 23andMe has 28 days to appeal the penalty to the First-tier Tribunal.
As of December 31, 2024, the ICO determined that 23andMe had implemented appropriate security measures to address the identified vulnerabilities. These include mandatory email-based two-factor authentication, enhanced password requirements, improved monitoring systems, and additional verification for raw genetic data downloads.
The company must pay the £2.31 million penalty by July 10, 2025, though enforcement is suspended pending potential appeals and the outcome of bankruptcy proceedings.
Timeline
- April 29, 2023: Credential stuffing attack begins
- July 6, 2023: Platform disruption from login attempts
- August 10-11, 2023: Threat actor contacts 23andMe directly
- October 1, 2023: Attack discovered through Reddit post
- October 15, 2023: First breach report to ICO
- November 9, 2023: Mandatory MFA implemented
- June 2024: Joint ICO-OPC investigation begins
- March 23, 2025: 23andMe files for bankruptcy
- June 5, 2025: £2.31 million penalty announced